Improper Validation of Certificate with Host Mismatch
| Property | Value |
|---|---|
| Language | java |
| Severity | |
| CWE | CWE-297: Improper Validation of Certificate with Host Mismatch |
| OWASP | A07:2021 - Identification and Authentication Failures |
| Confidence Level | Medium |
| Impact Level | Medium |
| Likelihood Level | Low |
## Description
The code sends email over SMTP using SSL/TLS but does not verify that the mail server's certificate was issued for the host it is connecting to. A certificate for any host name is accepted, so the encrypted connection can be impersonated by anyone holding some valid certificate.
## Impact
Without verifying the SMTP server’s SSL certificate, attackers can perform man-in-the-middle attacks to intercept or alter email contents, steal credentials, or send fraudulent emails as if they are from your application, potentially leading to data breaches or loss of trust.
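The misconfiguration described above and its corrected form, written as an added Jakarta Mail example (not code from the original page). The `mail.smtp.ssl.*` property names are the library's real ones; the host name and credentials are placeholders.

```java
import java.util.Properties;
import jakarta.mail.Message;
import jakarta.mail.Session;
import jakarta.mail.Transport;
import jakarta.mail.internet.InternetAddress;
import jakarta.mail.internet.MimeMessage;

public class SmtpTlsConfig {

    // Vulnerable: SSL/TLS is on, but every certificate is trusted and the
    // host-name check is off, so a certificate for another host is accepted.
    static Properties insecureProps(String host) {
        Properties p = new Properties();
        p.put("mail.smtp.host", host);
        p.put("mail.smtp.port", "465");
        p.put("mail.smtp.ssl.enable", "true");
        p.put("mail.smtp.ssl.trust", "*");                   // trust any certificate
        p.put("mail.smtp.ssl.checkserveridentity", "false"); // skip host-name match
        return p;
    }

    // Hardened: rely on the JVM trust store (no ssl.trust override) and
    // require the certificate subject/SAN to match the configured host.
    static Properties secureProps(String host) {
        Properties p = new Properties();
        p.put("mail.smtp.host", host);
        p.put("mail.smtp.port", "465");
        p.put("mail.smtp.ssl.enable", "true");
        p.put("mail.smtp.ssl.checkserveridentity", "true");
        p.put("mail.smtp.ssl.protocols", "TLSv1.2 TLSv1.3");
        return p;
    }

    // Review helper: flags a property set that disables identity validation.
    static boolean verifiesServerIdentity(Properties p) {
        boolean trustAll = "*".equals(p.getProperty("mail.smtp.ssl.trust"));
        boolean checkId = Boolean.parseBoolean(p.getProperty("mail.smtp.ssl.checkserveridentity", "false"));
        return checkId && !trustAll;
    }

    static void send(Properties props, String from, String to, String user, String pass) throws Exception {
        Session session = Session.getInstance(props);
        MimeMessage msg = new MimeMessage(session);
        msg.setFrom(new InternetAddress(from));
        msg.setRecipients(Message.RecipientType.TO, InternetAddress.parse(to));
        msg.setSubject("Status report");
        msg.setText("Sent over a verified TLS connection.");
        Transport t = session.getTransport("smtp");
        try {
            t.connect(props.getProperty("mail.smtp.host"), user, pass); // placeholder credentials
            t.sendMessage(msg, msg.getAllRecipients());
        } finally {
            t.close();
        }
    }
}
```

`verifiesServerIdentity(insecureProps("smtp.example.com"))` returns false and the same call on `secureProps(...)` returns true, which is the condition a code review or unit test for this rule should enforce.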